The number of security vulnerabilities continues to skyrocket. After setting a record last year, the number of reported Common Vulnerabilities and Exposures (CVEs) is on pace to set yet another record this year.
In 2017, more than 14,000 CVEs were reported, affecting a vast range of devices, systems and applications. So far in 2018, more than 12,000 CVEs have been reported, and if that pace continues, we should move past last year’s record number in the next two months.
If you design or produce an IoT device or other embedded system product, how do you manage that rising tide of vulnerabilities?
How do you cut through the noise and focus on only those vulnerabilities that matter to your devices and versions in deployment?
These questions are at the heart of vulnerability management, the process of monitoring, analyzing and fixing the vulnerabilities that may affect your devices and ultimately put your customers’ deployments at risk of compromise.
Internet of Things device security has become an increasingly critical issue as more security researchers report compromises and identity exploits that take advantage of security gaps in systems and deployment configurations.
At Timesys, we work with leading device makers to implement the best practices for designing security into their systems and maintaining the security over the lifecycle of the products. These best practices include:
Device hardening: How can you prevent attackers from compromising a device and, if they do, how can you limit the damage they can do?
Device security auditing is a type of vulnerability assessment and an important first step in device hardening: it tests the device to identify its potential security gaps and configuration issues.
Our Secure by Design offering includes security audits and device hardening to enable your products to be more secure from the ground up.
Patch management: Given the vast number of vulnerabilities being reported, understanding which systems or software components need to be updated with a security patch and then applying patches can be a major challenge.
Managing patching at scale is also part of the reason that IoT security can be so challenging.
Timesys Security Vulnerability and Patch Notification can inform you about the available patches for embedded open source software components used in your devices. That accelerates mitigation of vulnerabilities and reduces the risk of your customers suffering a breach.
CVE Monitoring: The flood of CVE notifications can be daunting, but a system for monitoring, analyzing and mitigating vulnerabilities will streamline and simplify the process.
Our CVE monitoring and notification enables you to quickly understand which of the flood of CVE notifications will require action on your part and helps to accelerate the response.
That’s especially important in the age of increasing IoT attacks, in which a zero-day exploit may emerge that puts your IoT customers at risk.
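The filtering step that the CVE monitoring passage describes, as an added example that is not Timesys code: a feed of advisories is matched against a device's bill of materials so that only entries affecting a shipped component at a shipped version remain. All CVE ids, component names and version ranges below are constructed placeholders.

```python
"""Triage a CVE feed against one device's bill of materials, keeping only the
entries that hit a deployed component at a deployed version (constructed data)."""
import re
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """'4.14.73' -> (4, 14, 73): compare numerically so that 4.9 < 4.14."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

@dataclass
class Advisory:
    cve: str              # placeholder id, not a real CVE
    component: str        # upstream package name as it appears in the SBOM
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet

def affects(adv: Advisory, deployed: str) -> bool:
    """True when the deployed version lies in [introduced, fixed)."""
    v = parse_version(deployed)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def triage(sbom: dict, feed: list) -> list:
    """Return one action record per advisory that affects a shipped component;
    advisories for components not in the SBOM or versions out of range are dropped."""
    actions = []
    for adv in feed:
        deployed = sbom.get(adv.component)
        if deployed is not None and affects(adv, deployed):
            fix = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fix yet: mitigate and monitor"
            actions.append({"cve": adv.cve, "component": adv.component,
                            "deployed": deployed, "action": fix})
    return actions

# Constructed SBOM for one firmware image (component -> deployed version).
DEVICE_SBOM = {"linux": "4.14.73", "busybox": "1.27.2", "openssl": "1.1.0", "dropbear": "2017.75"}

# Constructed feed of six advisories; only three should survive triage.
FEED = [
    Advisory("CVE-XXXX-0001", "busybox", "1.0.0", "1.28.0"),   # affected, fix available
    Advisory("CVE-XXXX-0002", "busybox", "1.29.0", "1.30.0"),  # introduced after our version
    Advisory("CVE-XXXX-0003", "linux", "4.9", "4.14.80"),      # affected (4.9 < 4.14 numerically)
    Advisory("CVE-XXXX-0004", "openssl", "1.1.1", None),       # introduced after our version
    Advisory("CVE-XXXX-0005", "zlib", "1.0", "1.2.12"),        # component not shipped
    Advisory("CVE-XXXX-0006", "dropbear", "2016.72", None),    # affected, no upstream fix yet
]
```

Calling `triage(DEVICE_SBOM, FEED)` leaves three actionable records out of six, two with a target version to upgrade to and one flagged as unfixed upstream.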
Timesys TRST Product Protection
At Timesys we have been working with IoT device manufacturers to improve embedded system IoT security across a wide range of device types and applications.
Our Threat Resistance Security Technology (TRST) Product Protection Solutions will help you ensure your embedded products are secure by design, and that they stay secure throughout their lifecycles. Our embedded system security offerings simplify IoT device security for your products and customers.
Contact us to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, providing smart, quick and high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.
You are absolutely correct that there are many elements that should come before the actual auditing step. My statement in the blog was over-simplifying, with an assumption that security requirements gathering, initial secure design and other steps had already taken place. I’d also say that hardening can be conducted for products that have already been designed without security consideration for a particular application, or that will be deployed in a new type of environment or use case from the one originally intended. A hardening exercise for those cases would involve initially assessing and analyzing vulnerabilities by performing an audit that would help prioritize fixing the high-risk issues. Thanks for the comment and the observation.
“Device security auditing is a type of vulnerability assessment that is an important first step in device hardening…” – disagreed. It is not the first step. Neither device security auditing nor vulnerability assessment in general should be the FIRST step in device hardening. It should be the LAST step.